journald: make sure journal_file_open() doesn't leave a corrupted file around after failing

This can be problematic especially when there's no more free disk
space. Consider the following:.

When disk space becomes sparse, writting to the system journal can lead to
error. In this case journald attempts to make room by rotating the journals,
which consists in archiving online journals and opening new ones.

However opening new files is likely to fail too and in this case
journal_file_open() leaves half initialized file around but in online
state. Then the error is propagated and journald switches into volatile mode.

Next time a new message is received by journald, it tries to open the
persistent system journal file to switch automatically back to persistent
mode.

When opening the system journal, journal_file_open(), called by
managed_journal_file_open_reliably(), finds the persistent system journal left
previously and assumes that it was uncleanly closed and considers it as
corrupted. The error is reported to managed_journal_file_open_reliably(), which
backs the file up and attempts to create a new system file, which fails and
leaves a corrupted system file again.

Since this is done for each message received by journald, /var/log/message can
be filled with backup files pretty quickly.

To prevent this, the patch makes sure to delete the newly created file in case
of error.

1 files changed, 3 insertions, 0 deletions

diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c
index b0f552500c..e72f041bdc 100644
--- a/src/libsystemd/sd-journal/journal-file.c
+++ b/src/libsystemd/sd-journal/journal-file.c
@@ -3585,6 +3585,9 @@ fail:
 
         (void) journal_file_close(f);
 
+        if (newly_created && fd < 0)
+                (void) unlink(fname);
+
         return r;
 }